I’ve been auditing a website over the last few days that has been seriously compromised. The good news is that they are prepared and determined to fix the problem; the bad news is that they have so many potential holes it would take a small army to fix them all in a reasonable amount of time. I found myself saying something I really thought I’d never say - “What about a WAF?” Two special circumstances about this situation struck me and gave me a bit of a change of heart.
First of all, anyone who has read this site long enough knows that I’m pretty critical of WAFs in general, so I’m not here selling them or anything. They can represent a single point of failure in many applications, add complexity, produce false positives and false negatives, and require administrative overhead - not to mention the cost. But here is where I changed my mind. In this case the client had between 1,000 and 5,000 customer-facing attack points to secure. There is no possible way they could fix that by hand in any reasonable timeframe.